UPDATE: How to remove an accessor with TTL 0s and renewable false

bash-4.4# vault token lookup -tls-skip-verify -accessor HBHoY1DLWf0o6moTLYhFdA8Y
Key                  Value
---                  -----
accessor             HBHoY1DLWf0o6moTLYhFdA8Y
creation_time        1604473771
creation_ttl         24h
display_name         kubernetes-sec-sip-tls-service-account
entity_id            e1d180c3-4140-8f64-6aff-38a7b863375b
expire_time          <nil>
explicit_max_ttl     0s
id                   n/a
issue_time           2020-11-04T07:09:31.407508153Z
last_renewal         2020-12-06T07:09:31.428385336Z
last_renewal_time    1607238571
meta                 map[role:sec-sip-tls-sub-ca-role service_account_name:sec-sip-tls-service-account service_account_namespace:cc service_account_secret_name:sec-sip-tls-service-account-token-2lz4c service_account_uid:1dffb1c9-1419-463f-a458-a47dbd7aadc0]
num_uses             0
orphan               true
path                 auth/kubernetes/login
policies             [default sec-sip-tls-sub-ca-policy]
renewable            false
ttl                  0s
type                 service

bash-4.4# vault token lookup
Key                 Value
---                 -----
accessor            4TlbdUUBoEiLu2T5YplA3UOJ
creation_time       1600955122
creation_ttl        0s
display_name        root
entity_id           n/a
expire_time         <nil>
explicit_max_ttl    0s
id                  s.r6JlL64F8o1Nh8LFY8yb9eLI
meta                <nil>
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
ttl                 0s
type                service
bash-4.4# 
bash-4.4# vault token revoke -accessor HBHoY1DLWf0o6moTLYhFdA8Y
Error revoking token: Error making API request.

URL: POST https://127.0.0.1:8200/v1/auth/token/revoke-accessor
Code: 400. Errors:

* token not found
bash-4.4# 
bash-4.4# vault token renew -accessor HBHoY1DLWf0o6moTLYhFdA8Y
Error renewing token: Error making API request.

URL: POST https://127.0.0.1:8200/v1/auth/token/renew-accessor
Code: 400. Errors:

* 1 error occurred:
        * invalid request


bash-4.4# 

We got an accessor with TTL=0 and renewable=false. Trying to revoke-accessor through the API interface or a terminal, we got the error “HTTP 400, token not found”. I am authorized as root.

Any idea how to remove it? Why doesn’t Vault clean it? TTL is 0.

Vault version 1.4.2

Hi @caclp ,

According to this page, ttl=0 indicates a token that never expires:

Therefore it seems correct that the token isn’t cleaned up automatically :slight_smile:

Try to revoke-accessor through the API interface, we got the error “HTTP 400, token not found”.

Can you post the exact command? Revoking with something like vault token revoke -accessor vvCJauGOtoEDPXhUixfUfnNT should work.

Best
Nick

Hi, Nick

Thanks for your answer. Here is the command:

bash-4.4# vault token revoke -accessor HBHoY1DLWf0o6moTLYhFdA8Y
Error revoking token: Error making API request.

URL: POST https://127.0.0.1:8200/v1/auth/token/revoke-accessor
Code: 400. Errors:

* token not found
bash-4.4# 
bash-4.4# vault token renew -accessor HBHoY1DLWf0o6moTLYhFdA8Y
Error renewing token: Error making API request.

URL: POST https://127.0.0.1:8200/v1/auth/token/renew-accessor
Code: 400. Errors:

* 1 error occurred:
        * invalid request


bash-4.4#

Hi @caclp,

I don’t know what could be the cause for an accessor without an associated token. However, you should be able to fix it by triggering /auth/token/tidy, see tidy tokens.

For each accessor found, tidy will check if the corresponding token still exists in storage, and if not will delete the accessor. If the token still exists in storage but shouldn’t, tidy will try to revoke it and any child leases it might have, then delete the accessor.

Best
Nick
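An added example (my own, not from the thread or from HashiCorp): a small audit script that walks every token accessor, flags the pattern shown above (a non-root token with ttl 0s and renewable false), tries to revoke it, treats a 400 "token not found" reply as a dangling accessor, and only then triggers the tidy endpoint mentioned in the reply. It assumes VAULT_ADDR and VAULT_TOKEN are set and that the token can list auth/token/accessors and revoke accessors; the sample outputs in the comments are copied from the thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes VAULT_ADDR/VAULT_TOKEN
# are exported and the token may list auth/token/accessors (sudo) and
# revoke by accessor.
set -u

# classify_lookup: read `vault token lookup -accessor <acc>` table output
# on stdin; print "never-expires" for a non-root token with ttl 0s and
# renewable false (the thread's accessor), otherwise "ok".
# Root tokens (path auth/token/root) legitimately have ttl 0s.
classify_lookup() {
  awk '$1=="ttl"{ttl=$2} $1=="renewable"{rn=$2} $1=="path"{p=$2}
       END{ if (ttl=="0s" && rn=="false" && p!="auth/token/root")
              print "never-expires"; else print "ok" }'
}

# classify_revoke: $1 is the exit status of `vault token revoke -accessor`,
# stdin its combined stdout/stderr. Prints "revoked", "dangling" (the
# HTTP 400 "* token not found" seen in the thread) or "error".
classify_revoke() {
  local status="$1" out
  out="$(cat)"
  if [ "$status" -eq 0 ]; then echo revoked
  elif printf '%s\n' "$out" | grep -q 'token not found'; then echo dangling
  else echo error; fi
}

# audit_accessors: try to revoke every never-expiring non-root token and,
# if any accessor turns out to be dangling, run auth/token/tidy so Vault
# drops accessors whose token no longer exists.
audit_accessors() {
  local acc verdict revoke_out status dangling=0
  # `vault list` prints a "Keys" header and a "----" rule before the data.
  for acc in $(vault list auth/token/accessors | awk 'NR>2'); do
    verdict="$(vault token lookup -accessor "$acc" 2>&1 | classify_lookup)"
    [ "$verdict" = "never-expires" ] || continue
    revoke_out="$(vault token revoke -accessor "$acc" 2>&1)"; status=$?
    case "$(printf '%s\n' "$revoke_out" | classify_revoke "$status")" in
      revoked)  echo "revoked $acc" ;;
      dangling) echo "dangling accessor $acc (token not found)"; dangling=1 ;;
      *)        echo "could not revoke $acc: $revoke_out" ;;
    esac
  done
  if [ "$dangling" -eq 1 ]; then vault write -f auth/token/tidy; fi
}

# Run only when explicitly requested: AUDIT_RUN=1 ./audit_accessors.sh
if [ "${AUDIT_RUN:-0}" = "1" ]; then audit_accessors; fi
```

Re-run `vault token lookup -accessor` on the flagged accessor after tidy finishes; if the accessor is gone, the lookup itself now fails.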

Hi, Nick

I found this post; it seems to be a similar issue.
https://github.com/hashicorp/vault/issues/4391

And the author said:

We already tried that. It cleaned up entries with no valid data, i.e. it was just a token with no additional attributes; however, the tidy still left the data there. It said something similar to “removing nil token” when removing the malformed ones.

We have ended up nuking the dynamoDB table and recreating it, however I thought I’d raise it as there seems to be no way of actually removing the tokens.

TTL=0 meaning “Never Expires” is just for the ROOT TOKEN.

Every non-root token has a time-to-live (TTL) associated with it, which is a current period of validity since either the token’s creation time or last renewal time, whichever is more recent. (Root tokens may have a TTL associated, but the TTL may also be 0, indicating a token that never expires). After the current TTL is up, the token will no longer function – it, and its associated leases, are revoked.

Hi @caclp,

The issue you found is quite old and refers to Vault v0.9.5. I think “tidy tokens” is worth a shot if you haven’t tried it. You are right about TTL, my bad.

Hi, Nick

Yes, it’s a very old post. I will think about your advice.

Thank you very much!